PasswordWallet FAQ

How are the passwords stored?

When you create your master password, the app derives a key from it. The inputs to the derivation are the master password and an app-specific key, and the result is the so-called master key. The master password itself is not stored on disk, only the master key. When you enter your master password, the same algorithm runs again and the app checks whether it returns the master key. The derivation uses the PBKDF2 key derivation function implemented by Microsoft in the Windows.Security.Cryptography namespace.

When you enter a domain name/username/password triple, three further keys are derived from the master key and one of these items. The first derived key is derived from the master key, an app-specific salt and one of these items. The second is derived from the master key, the first derived key and another app-specific salt, and so on. Items stored on disk are then encrypted with the AesCbcPkcs7 algorithm implemented by Microsoft (again from the Windows.Security.Cryptography namespace).

When you open an item in the application to see your username and password, the same process runs in the opposite direction.
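
The derivation steps described in this answer, written out with Python's hashlib as an added example; it is not PasswordWallet's code. The hash (SHA-256), iteration count, key length, the key and salt values, and combining inputs by concatenation are all assumptions, since the page specifies none of them; the AES-CBC encryption step is not shown.

```python
import hashlib
import hmac

# Assumed parameters: the page names PBKDF2 but not its hash, iterations or key size.
PBKDF2_HASH = "sha256"
PBKDF2_ITERATIONS = 100_000
KEY_LEN = 32

# Constructed placeholders for the "app-specific" key and salts the page mentions.
APP_KEY = b"constructed-app-specific-key"
APP_SALTS = [b"constructed-salt-1", b"constructed-salt-2", b"constructed-salt-3"]


def _pbkdf2(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac(PBKDF2_HASH, secret, salt, PBKDF2_ITERATIONS, KEY_LEN)


def derive_master_key(master_password: str) -> bytes:
    """Master key = PBKDF2(master password, app-specific key); only this is stored."""
    return _pbkdf2(master_password.encode("utf-8"), APP_KEY)


def verify_master_password(candidate: str, stored_master_key: bytes) -> bool:
    """Re-run the derivation on the entered password and compare in constant time."""
    return hmac.compare_digest(derive_master_key(candidate), stored_master_key)


def derive_item_keys(master_key: bytes, item: str) -> list:
    """Chain of three keys. Step 1 mixes master key + item + salt 1; each later
    step mixes master key + previous derived key + its own salt."""
    keys = []
    previous = item.encode("utf-8")
    for salt in APP_SALTS:
        # master_key has a fixed length, so plain concatenation is unambiguous here.
        previous = _pbkdf2(master_key + previous, salt)
        keys.append(previous)
    return keys


if __name__ == "__main__":
    stored = derive_master_key("constructed master password")
    print("login ok:", verify_master_password("constructed master password", stored))
    print("wrong pw:", verify_master_password("guess", stored))
    for i, key in enumerate(derive_item_keys(stored, "example.com"), start=1):
        print(f"derived key {i}: {key.hex()}")
```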

Are the items stored as plain text?

No, see first question.

Is this safe?

The app itself does not invent any new cryptographic technique. It reuses cryptographic algorithms implemented by Microsoft. Key derivation and multiple hashing are used by many other apps, and the algorithms used in the app are considered safe today.

How is the copy/paste functionality implemented when the items are not stored in plaintext?

Items are decrypted by the app when you push the copy button, meaning the password is placed in memory in plain text. The recommendation is that after you have pasted your password, you put something else on the clipboard to overwrite the password there. Decrypted items are kept only in memory; they are never stored decrypted on disk. Again, the only case in which the password leaves the app's protected memory area is when you push the copy button, but this is a valid use case for the app.

Should I put bank account related items into the app?

No! My personal recommendation regarding extremely sensitive data is that you simply memorize it and never ever write it down on paper or store it anywhere.

What kind of passwords do you recommend to put into the app?

For sites and applications which require you to change your password from time to time, these kinds of apps can be very useful. If you register for a trial service and want a dedicated password for it (instead of reusing one of your passwords), the app can also be very useful.

What happens when someone has access to the file where the passwords are stored?

In this case, this person would also need the master password and the app-specific keys to get the passwords.

What happens when someone has access to the file where the passwords are stored and also knows my master password?

This is still not enough to get the passwords, thanks to the app-specific keys.

Can I change my master password?

Yes, you can do this under "Settings". This feature was introduced in version 3.0.5.0 in February 2015.

What happens when I forget my master password?

In this case you are out of luck. For security reasons there is no reset function or anything like it. You also cannot reset it via email, since everything is stored locally on your device (also for security reasons). You can change your master password at any time, but you always have to know the current master password.

What happens when someone has access to the file where the passwords are stored and also knows my master password plus also has access to my computer with the app?

This is the point where you are out of luck... For these kinds of scenarios I am experimenting with some new biometric security stuff from Microsoft, but at this point this is not implemented in the app.

Is it possible to store more than a Domain/Username/Password combination?

Yes, there is a "Notes" feature in the app, which enables a free text box for additional information for every item. You can turn on this feature under "Settings" -> "Notes". For more information see here the section "Add additional notes to items"

What is the Pro version?

You can purchase the pro version from the app under settings or on the main page by clicking/touching the corresponding button. It removes all the ads from the app plus it has some additional functionalities (see here at section "PasswordWallet Pro").

What does the Pro version cost?

It's 2,99 USD.